Michael Mucha: Risk Management at Stanford

Widespread implementation of encryption is a top priority at Stanford Hospital and Clinics, thanks, in large part, to the "safe harbor" in the HITECH breach notification rule, says Michael Mucha, information security officer.

Organizations that use the proper form of encryption don't have to report data breaches under the HITECH Act. Mucha says this safe harbor instantly created an obvious return on investment for encryption.

Other priorities include:

Implementing an event correlation system that aggregates logs and uses business rules to monitor who is accessing information and detect potential internal breaches; and

Updating role-based access to systems.
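The event correlation rule Mucha describes later in the interview (flag a user who opens 100 records in 300 seconds, then sort hits by department so sanctioned quality reviews are triaged differently from a suspected privacy violation) can be expressed as a small sliding-window detector over an access audit log. The code below is an added example written for this page; it is not Stanford's or Epic's code. The log line format, the user-to-department table, the department names and every log event are constructed for the example.

```python
"""
Sliding-window detection of rapid patient-record access in an EHR audit log.

Rule (from the interview): a user viewing 100 distinct patient records within
300 seconds. The hit is then categorized by the user's department so that an
expected bulk review is routed as a quality check rather than a privacy alert.
Everything below (log format, department table, events) is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD_RECORDS = 100   # distinct patient records viewed ...
WINDOW_SECONDS = 300      # ... within this many seconds

# Constructed department lookup (assumption: exported from the identity system).
USER_DEPARTMENT = {
    "jdoe": "Cardiology",
    "qa01": "Quality Improvement",
    "nurse1": "Med/Surg Unit 3",
}

# Constructed list of departments whose bulk access is expected work.
QUALITY_REVIEW_DEPARTMENTS = {"Quality Improvement", "Compliance"}


def parse_line(line):
    """Parse a constructed line 'ISO-timestamp user=<u> action=<a> patient=<id>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_str), kv["user"], kv["action"], kv["patient"]


def detect_rapid_access(lines, threshold=THRESHOLD_RECORDS, window=WINDOW_SECONDS):
    """Return alerts as (user, department, category, distinct_count, iso_timestamp).

    One alert per user per run, raised the moment the threshold is crossed.
    """
    windows = defaultdict(deque)   # user -> deque of (timestamp, patient_id)
    alerts = []
    alerted = set()
    # Aggregated logs can arrive out of order; the fixed-width ISO timestamp
    # at the start of each line makes a plain string sort chronological.
    for line in sorted(lines):
        ts, user, action, patient = parse_line(line)
        if action != "view":
            continue
        q = windows[user]
        q.append((ts, patient))
        # Evict events that fell out of the 300-second window.
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = len({p for _, p in q})   # count records, not clicks
        if distinct >= threshold and user not in alerted:
            dept = USER_DEPARTMENT.get(user, "unknown")
            category = ("quality_check_review" if dept in QUALITY_REVIEW_DEPARTMENTS
                        else "possible_privacy_violation")
            alerts.append((user, dept, category, distinct, ts.isoformat()))
            alerted.add(user)
    return alerts


def constructed_log():
    """Constructed audit log: two users each open 120 records at a 2-second
    cadence (crossing the threshold), one nurse opens 5 records over an hour."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    for i in range(120):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} user=jdoe action=view patient=P{1000 + i}")
        lines.append(f"{t} user=qa01 action=view patient=P{2000 + i}")
    for i in range(5):
        t = (base + timedelta(minutes=12 * i)).isoformat()
        lines.append(f"{t} user=nurse1 action=view patient=P{3000 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect_rapid_access(constructed_log()):
        print(alert)
```

Counting distinct patient identifiers rather than raw log lines keeps a clinician who reopens one chart repeatedly from tripping the rule, and routing by department is what lets the same threshold serve both the privacy case and the quality-audit case the interview contrasts.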

Palo Alto, Calif.-based Stanford Hospital and Clinics, part of Stanford University Medical Center, recently received a Stage 7 award from HIMSS Analytics. It's one of only a handful of organizations to receive the award in recognition of its advanced implementation of electronic health records and related clinical information systems.

Mucha works with a team of about 30 security and privacy specialists to ensure the information in these systems remains secure.

HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Michael Mucha, information security officer at Stanford Hospital and Clinics. The organization recently received national recognition for its advanced use of clinical information systems. Thanks so much for talking with us today Mike.

MICHAEL MUCHA: Hello. Good morning.

ANDERSON: Stanford Hospital and Clinics recently won recognition from HIMSS Analytics for achieving Stage 7, the most advanced rating for implementation of electronic health records and related clinical systems. Only a handful of organizations have achieved that honor. Please tell us a little bit about the diverse clinical information that physicians and nurses can now access online.

MUCHA: Well the core clinical information is all available online through the Epic EMR system, which includes inpatient records, outpatient, scheduling and billing. We also have integrated some of our other clinical systems such as GE PACS. Radiology images are available through the same EMR interface with Epic, and we are going through integrating a variety of other systems, with our core EMR system being the hub of all of the clinical information.

ANDERSON: And can clinicians access those systems remotely as well as while they are on campus?

MUCHA: Yes. So remote access is a big part of our infrastructure strategy. ... A lot of our physicians go to conferences, take sabbaticals, take time off, take six months off to work in another academic medical center, for instance, so there is that modern workforce aspect of using the Internet through our clinical portal.

We also have a referring physician portal, which is for our community physicians who aren't Stanford physicians per se but are referring patients to us, and they have a specific portal just for that purpose. And then there is also our patient portal to view your own records.

ANDERSON: I suspect that all of that raises a long list of security issues. What risks did you identify as you were ramping up to Stage 7 level automation? How are you going about addressing those risks?

MUCHA: Well there are two parts to it. One is the obvious benefit of moving things to electronic databases and having all of the feeds of accesses. But then there are opportunities for people who don't have the best intentions to access more records, to run queries, to do malicious things remotely, the kinds of things that you didn't have in a paper-based world.

So you have that double-edged sword, but then you also have to bring in the tools that come with an electronic world. We are bringing in an event correlation system where we are aggregating the logs from all of these different clinical and infrastructure systems and then applying business rules on top of that to monitor for things like someone hunting through 100 records in 300 seconds. That can generally be one of two things. It is either someone on a fishing expedition looking to violate people's privacy for a variety of reasons, or it can be a quality check where someone is going through and checking one thing in a bunch of records at a specific time. So we have rules that will look for those things and then sift them depending on what department you are in and which log rule you are using, and we are applying a new set of tools.